Bug 1980128 (CVE-2021-32066)
| Summary: | CVE-2021-32066 ruby: StartTLS stripping vulnerability in Net::IMAP | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | andrelau, caswilli, hhorak, jaruga, joe, jorton, jprokop, kaycoth, mo, mtasaka, pvalena, ruby-maint, ruby-packagers-sig, s, strzibny, thoger, vanmeeuwen+fedora, vmugicag, vondruch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ruby 3.0.2, ruby 2.7.4, ruby 2.6.8, rubygem-net-imap 0.2.2 | Doc Type: | If docs needed, set a value |
| Doc Text: |
Ruby's Net::IMAP module did not raise an exception when receiving an unexpected response to the STARTTLS command and the connection was not upgraded to use TLS. A man-in-the-middle attacker could use this flaw to prevent Ruby applications using Net::IMAP to enable TLS encryption for a connection to an IMAP server and subsequently eavesdrop on or modify data sent over the plain text connection.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-08-05 19:07:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1980567, 1980568, 1980569, 1980570, 1980571, 1980830, 1980831, 1980832, 1980833, 1980834, 1980835, 1980836, 1981779, 1981780, 1986813, 1995173, 1996668, 2053031, 2053032, 2053033, 2053034, 2053196, 2057434 | ||
| Bug Blocks: | 1980129 | ||
|
Description
Pedro Sampaio
2021-07-07 20:56:43 UTC
This was fixed upstream in Ruby versions 3.0.2, 2.7.4, and 2.6.8: https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/ https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/ https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/ Upstream commit in Ruby: https://git.ruby-lang.org/ruby.git/commit/?id=e2ac25d0eb66de99f098d6669cf4f06796aa6256 Note that Ruby 3.1 will no longer include Net::IMAP in its standard library, but will rather bundle net-imap gem. The fix for this issue in the net-imap repo is: https://github.com/ruby/net-imap/commit/adba6f0c3e5c5607c4822b9120322eb7e9a77891 Fixed in net-imap 0.2.2. HackerOne report with additional details: https://hackerone.com/reports/1178562 Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1980570] Created ruby:2.5/ruby tracking bugs for this issue: Affects: fedora-34 [bug 1980571] Created ruby:2.6/ruby tracking bugs for this issue: Affects: fedora-all [bug 1980567] Created ruby:2.7/ruby tracking bugs for this issue: Affects: fedora-all [bug 1980568] Created ruby:master/ruby tracking bugs for this issue: Affects: fedora-all [bug 1980569] The support for the STARTTLS was added to Net::IMAP in net-imap 0.1.0 / ruby 1.9.0. Ruby versions prior to 1.9.0 are not affected by this issue. Red Hat CloudForms 5.11 does not ship Ruby or RubyGem net-imap and thus not affected by the flaw. Ruby in the product consumed by respective RHEL repo. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3020 https://access.redhat.com/errata/RHSA-2021:3020 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-32066 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3559 https://access.redhat.com/errata/RHSA-2021:3559 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3982 https://access.redhat.com/errata/RHSA-2021:3982 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0672 https://access.redhat.com/errata/RHSA-2022:0672 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708 |